The State of Enterprise IT Security Podcast: Ep. 24: Healthcare Edition: Securing Patient Data, AI vs. Traditional Cybersecurity, IoT Challenges in Healthcare

Cybersecurity The State of Enterprise IT Security Podcast: Ep. 24: Healthcare Edition: Securing Patient Data, AI vs. Traditional Cybersecurity, IoT Challenges in Healthcare



Join Brad Bussie, Chief Information Security Officer at e360, as he addresses key IT security concerns in healthcare. In this episode of the 'State of Enterprise IT Security Edition,' Brad answers frequently asked questions about securing patient data, the pros and cons of AI-based cybersecurity tools versus traditional tools, and strategies for managing the security of IoT devices used in patient care.

Learn about encryption methods, access controls, the importance of tailored security training, and the need for a well-defined incident response plan. Additionally, explore the challenges and solutions associated with integrating AI in cybersecurity and securing IoT devices within healthcare settings.


Listen to the Episode:


Watch the Episode:


Key Topics Covered:

Top Strategies for Securing Patient Data in Healthcare: Implementing robust encryption, establishing stringent access controls, and conducting regular, role-specific security training are essential for safeguarding patient data in healthcare settings.

AI vs. Traditional Cybersecurity: Pros and Cons: AI-based cybersecurity tools offer real-time threat detection and adaptive learning but can be expensive and prone to false positives, whereas traditional tools are more stable but less effective against sophisticated threats.

How To Manage IoT Security Risks in Healthcare: Securing IoT devices in healthcare requires strong encryption, regular software updates, unique passwords, multi-factor authentication, and network segmentation to mitigate risks and protect sensitive data.


Read the Transcript:

Ep 24 Healthcare Edition: Securing Patient Data, AI vs. Traditional Cybersecurity, IoT Challenges in Healthcare

[00:00:00] Brad Bussie: another issue with AI-based tools is the potential for false positives, as well as hallucinations. And while they're pretty good at detecting anomalies, I've seen where they can actually flag legitimate activities as threats.

[00:00:25] Brad Bussie: Hey everybody. I'm Brad Bussie, chief information security officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders. I'm happy to bring you some answers to frequently asked questions today.

[00:00:48] What are the best practices for securing patient data in a healthcare setting? Second, what are the advantages and disadvantages of using AI-based cybersecurity tools versus traditional tools? And third, how do we handle the challenge of securing IoT devices used in patient care? And with that, let's get started.

Securing Patient Data in Healthcare

[00:01:16] Brad Bussie: So, what are the best practices for securing patient data in a healthcare setting? And when it comes to keeping patient data secure in healthcare, I mean, I think there's several key strategies that really make a difference. First off, encrypting data. That's pretty crucial. Whether the data is being transmitted or stored using strong encryption methods, and there's a bunch of different ones, AES 256, Leveraging SSL, honestly, we're just ensuring that even if someone intercepts the data, they can't actually read it.[00:02:00] 

[00:02:00] And I would say another important practice are establishing access controls. And this means making sure that only the people who need access to certain information can actually get access to it. To the information and this may seem like basic blocking and tackling for a lot of our listeners But honestly the things that I see that don't go particularly well in a lot of organizations Are the basics the call it blocking and tackling so consider some of this just reminders As far as what good looks like in an organization.

[00:02:44] Now implementing role based access controls as well as multi-factor authentication are pretty important and they can help limit access to sensitive data and reduce the risk of unauthorized breaches. And I would say regular security training, and this is for all staff. And it's a pretty big deal. And it's essential to educate everyone on how to recognize things like phishing attempts, use strong passwords.

[00:03:21] And follow best security practices. And this helps build a culture where everyone is aware and vigilant about security. But I think what we need to do is we need to have. This security training tailored for each job role. So what I see in a lot of organizations is everyone takes the same security training.

[00:03:45] I don't think that's working anymore. I think if you have a payroll specialist, they're going to be seeing something every day. That's probably payroll related and the targets against them are going to be very [00:04:00] similar. Like, Hey, pay this invoice. Or I need to do something, with, with the account. Now, if they are just getting kind of the general basic training, that might not be enough.

[00:04:12] So definitely consider that, inside of your training plan. I would say security monitoring and risk management are pretty critical. And this is regularly monitoring for threats. And you can use tools like intrusion detection system, intrusion prevention systems, and then conducting thorough risk assessments.

[00:04:39] This can help identify and address potential vulnerabilities. And this is before they become serious problems. Regular audits and penetration tests are also and should also be part of your strategy. And of course, complying with regulations. And if we're still talking about healthcare, which I think we will, HIPAA is definitely a must.

[00:05:08] And this involves putting in place the necessary administrative, physical, and technical safeguards to protect patient health information and stay compliant with legal requirements. A lot of areas that I see organizations struggle have to do with this next one, which is having a well defined incident response plan.

[00:05:36] I would say this is a best practice, but that's the word that I want to use, practice. These incident response plans need to actually be practiced with things like tabletops. And really, the intent here is that we're going to be prepared to quickly and effectively respond to any data breaches or [00:06:00] security incidents, which can help minimize the damage and get things back to normal faster.

[00:06:06] So, as I like to say, practice makes progress. And making sure your IT infrastructure overall is secure. for your time. And this includes keeping all software and systems updated with the latest patches to prevent exploitation of known vulnerabilities and using things like secure cloud hosting that they, I mean, they have to comply with health care regulations, and that's really going to help you boost data protection overall.

[00:06:43] And. I think an important one, since we're talking about data, is implementing data minimization and retention policies. And I think this is just smart overall. And what this means is only collecting and keeping the data that you actually need. 


AI-Based Cybersecurity Tools vs. Traditional Tools

[00:07:06] Second topic. And this was actually a question that I've been asked multiple times from healthcare clients. 

[00:07:16] Brad Bussie: What are the advantages and disadvantages of using AI-based cybersecurity tools versus traditional tools? So first and foremost, I mean, AI-based cybersecurity tools. I would say they excel at detecting threats in real time because they're just faster than a person ever could be.

[00:07:40] And they can analyze vast amounts of data quickly and they identify things like patterns and anomalies that might indicate a security threat. This is real-time analysis and it helps in [00:08:00] catching threats. Much faster than traditional tools leveraged by people. And this often is something that, you know, the, the traditional tools, they, they rely on a predefined rule or a signature and AI doesn't necessarily have to do that.

[00:08:21] AI tools I'm finding are more adaptive in nature, and the reason is the tools learn from each incident, and they're continuously improving their detection and response capabilities. So this means that they can adapt to new types of attacks and threats without needing constant manual updates. Which I think is a pretty big limitation of some of the traditional tools.

[00:08:48] And I would say AI-based tools can significantly reduce the workload on IT staff. So again, we are not replacing people. We are augmenting people and we're doing that by automating many of those routine tasks like monitoring. And threat detection and the tools help free up cyber security professionals to focus on more complex issues.

[00:09:19] And this can lead to better overall security management and a more efficient use of resources. However, AI-based tools really aren't without their disadvantages. I would say what I'm seeing right now is one major drawback is the cost of implementing AI-based solutions. It can be pretty expensive.

[00:09:44] It's the buzzword. Everybody is, is investing in this. Lots of organizations are adopting, so it's hot and it's expensive. And if you are building and leveraging this. in your organization, you're going to quickly find [00:10:00] just how expensive it is based on the people you're going to need, the processing you're going to need.

[00:10:05] it's, it's definitely, I think more than, than a lot of us were thinking. So this can require a significant investment, not just in technology, but also in training. Remember I talked in a previous episode about that lack of trained cyber professionals. It's even worse when it comes to AI. So there's, um, there's a complexity of integration.

[00:10:32] So AI tools in order to be effective, they have to integrate into some of our existing systems. And this can be complex and time-consuming. And it's not always like a copilot where it's just included and then pervasive across the stack. some organizations are trying to build some things themselves.

[00:10:53] Or they have data repositories that are not in the traditional places. So this is definitely that, complexity I'm talking about. another issue with AI-based tools is the potential for false positives, as well as hallucinations. And while they're pretty good at detecting anomalies, I've seen where they can actually flag legitimate activities as threats.

[00:11:23] And that leads to not just unnecessary alerts, but disruptions. And I'd say this, this can cause alert fatigue among IT staff. We're trying to reduce that fatigue, but it's actually, in some cases made it worse and it's reduced their overall efficiency of security operations instead of enhancing now, I'd say the com, the comparison and the traditional tools.

[00:11:54] Are generally more predictable, more stable. [00:12:00] And that's because they rely on known threat signatures as well as rules. So I'd say they're often easier to manage and integrate into existing systems. Cause that's what we've been doing forever. I would say, you know, they still struggle with detecting some of these new sophisticated threats that don't match some of those existing patterns.

[00:12:26] And again, this is where AI has that distinct edge, as it can adapt and learn from new threats over time. So choosing between AI-based and traditional based tools It's just going to depend on the organization. What's the specific need, what resources do you have? And I'd say for those that can afford the investment and need real-time, adaptive security, AI-based tools are, are, are pretty great.

[00:13:00] But for organizations looking for stability and predictability, traditional tools might still be the best option. However, I would recommend a hybrid approach. You know, combine both AI-based and traditional tools and get the best of both worlds from each.

Securing IoT Devices in Patient Care

[00:13:20] Brad Bussie: Third question that, that I received, and I've, I've actually gotten this question equally, with the AI question is how can we handle the challenge of securing IoT devices?

[00:13:35] Used in patient care. And I, I consider these, internet of medical things often. So you'll hear me say that. And I would say first it's, it's crucial to implement strong encryption wherever possible on all of these IoT devices, because this ensures that any data transmitted between [00:14:00] devices. And networks is protected from interception as well as unauthorized access.

[00:14:09] Next, regular software updates and patching are essential. And this, this can't happen with all IoT devices, unfortunately. So, IoT devices, they often run on some specialized software that needs to be kept up to date. And the reason is to protect against newly discovered vulnerabilities. Again, you can't do this with all of the IoT, IoMT.

[00:14:37] So I would say, if you can, establish a regular update and make it a schedule. That's going to help you ensure that all devices are protected against those latest threats. And we'll talk a little bit about, well, what do you do if you can't do that? So I would say, another important step is to use strong and unique passwords wherever possible.

[00:15:07] I still come into organizations all the time and I see default passwords and they are still in use. And I would say that is one of the most common entry points for attackers. So make sure you go through and change those to something complex. Unique, but simple enough where you are not making it challenging to maintain and leverage that security.

[00:15:35] Now I would say wherever possible leverage multi-factor authentication, because this just adds that extra layer of security. Now, network segmentation, I would say, is another big key strategy. So, by isolating IoT devices on that, we'll call it a separate network [00:16:00] from either the main hospital or admin network, you can limit the potential damage if a device is compromised.

[00:16:09] So this way, even if an attacker gains access to an IoT device, they won't be able to easily reach other critical systems and data. Another big one is continuously monitoring as well as adding anomaly detection to those networks and implementing tools that can monitor network traffic and detect unusual patterns.

[00:16:37] Can help identify potential security incidents. And it's a lot earlier than we would otherwise know. And this proactive approach, it allows for quicker response times, as well as minimizes the impact of any breach that does happen. And again, you hear me say this a lot, training and awareness. Uh, for healthcare staff is pretty crucial, and that ensures that everyone who interacts with IoT devices understands the importance of securing those devices.

[00:17:14] And what practices to use. And we mentioned this earlier, but I think being able to recognize any phishing attempts, making sure that we are maintaining those strong passwords. Really, we're just trying to create a culture of security within the organization specific to those medical devices that we're leveraging.

[00:17:38] And it's also important to work closely. With the vendors of those medical devices. So ensure that your IoT device suppliers are also following stringent security practices, and they're also providing regular updates as well as support. [00:18:00] So having clear agreements in place regarding security responsibilities can help mitigate risks associated with any.

[00:18:13] Third party device. And finally, you know, regular security assessments and audits, those can help identify and address potential vulnerabilities in your IoT ecosystem. And these assessments should include both technical evaluations as well as policy review to ensure that you have comprehensive security coverage.

[00:18:42] Brad Bussie: So thank you again for joining me and I look forward to the next time on the State of Enterprise IT Security Edition 

Written By: Brad Bussie